DOD COMPLIANCE WITH THE INFORMATION ASSURANCE VULNERABILITY ALERT POLICY

Report No. D-2001-013                                        December 1, 2000

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-2885

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)    Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
C/S/A       Commanders in Chief, Services, and Defense agencies
CERT        Computer Emergency Response Team
DISA        Defense Information Systems Agency
IAVA        Information Assurance Vulnerability Alert
OSD         Office of the Secretary of Defense

Office of the Inspector General, DoD
Report No. D-2001-013                                        December 1, 2000
(Project No. D2000AS-0086.003)
(formerly Project No. OAS-6104.03)

DoD Compliance With the Information Assurance Vulnerability Alert Policy

Executive Summary

Introduction. The Deputy Secretary of Defense issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999. Recent events demonstrated that widely known vulnerabilities exist throughout DoD networks, with the potential to severely degrade mission performance. The policy memorandum instructs the Defense Information Systems Agency to develop and maintain an IAVA database system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications. The IAVA policy requires the Commanders in Chief, Services, and Defense agencies to register and report their acknowledgement of and compliance with the IAVA database. According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers. The policy memorandum provided for a compliance review by the Inspector General, DoD.

Objectives. The audit objective was to evaluate the progress that DoD made in complying with the Deputy Secretary of Defense policy memorandum on IAVA.

Results. As of August 2000, DoD progress in complying with the Deputy Secretary of Defense IAVA policy memorandum had not been consistent. At that time, all 9 Commanders in Chief, 4 Services, and 14 Defense agencies had registered as reporting entities with the IAVA database, but 4 other DoD Components had not.
Also, information contained in the database for the alerts posted in 2000 showed that of the Components that had registered, only four Commanders in Chief, one Service, four Defense agencies, and two other DoD Components had reported compliance in accordance with the IAVA policy. As of November 2000, however, DoD had made significant progress in IAVA implementation. The four DoD Components that had not registered were reporting through the Office of the Secretary of Defense point of contact and are no longer required to register separately. All Commanders in Chief, 2 of the 4 Services, and 13 of the 14 Defense agencies were now reporting in compliance with IAVA policy. The Defense Security Service, the one remaining Defense agency that had not fully complied with the reporting requirements, was working to put an infrastructure in place for reporting in accordance with the policy. Of the other DoD Components, the Office of the Secretary of Defense was not yet reporting compliance in accordance with IAVA policy; however, it planned to be fully compliant by April 2001. Compliance by the Office of the Secretary of Defense is critical because 20 other DoD organizations will be reporting through it. Effective implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.

Summary of Recommendations. We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) revise and expedite the release of the DoD IAVA Instruction, develop a DoD IAVA implementation plan, and finalize and approve the internal instruction for the Office of the Secretary of Defense that outlines the roles and reporting responsibilities of DoD organizations that will report IAVA compliance through the Office of the Secretary of Defense point of contact.

We recommend that the Secretaries of the Army and Air Force; the Commandant of the Marine Corps; the Commanders of the U.S. European Command, U.S. Southern Command, U.S. Special Operations Command, U.S. Transportation Command, and U.S. Strategic Command; the Directors of the Ballistic Missile Defense Organization, Defense Advanced Research Projects Agency, Defense Commissary Agency, Defense Contract Audit Agency, Defense Finance and Accounting Service, Defense Intelligence Agency, Defense Prisoner of War/Missing Personnel Office, Defense Security Service, Defense Threat Reduction Agency, Joint Staff, National Imagery and Mapping Agency, and National Reconnaissance Office report compliance by stating the number of assets affected, the number of assets in compliance, and the number of assets with waivers, as stated in the Deputy Secretary of Defense policy memorandum.

Management Comments. The Director, Information and Infrastructure, Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), concurred with the recommendation on developing the DoD IAVA instruction and concurred that details about IAVA implementation needed to be addressed. However, the Director stated that an implementation plan was not required because the DoD Instruction on Information Assurance Vulnerability Reporting and Mitigation would address those details.
The Deputy Director, Defense Network Operations, Office of the Assistant Secretary, provided comments that addressed the IAVA internal process of the Office of the Secretary of Defense. The management comments concurred with the recommendation to report compliance in accordance with the Deputy Secretary of Defense policy memorandum. However, the Army and Air Force did not comment on the recommendation and, as of November 6, 2000, they were still not reporting in accordance with policy. A discussion of management comments is in the Finding section of the report and the complete text is in the Management Comments section.

Audit Response. The comments that we received were fully responsive. As a result of comments from the Joint Staff, we revised the recommendation on developing and disseminating an implementation plan for IAVA to include training in addition to registration, reporting, and compliance guidance. Also, based on the Deputy Director, Defense Network Operations’ comments, we added a recommendation that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) finalize the internal instruction for the Office of the Secretary of Defense relating to the IAVA process. Therefore, in response to the final report, we ask that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) comment on the recommendations by January 30, 2001.
Also, the Army and Air Force did not comment on the draft report; therefore, we request that they provide comments on the final report by January 30, 2001.

Table of Contents

Executive Summary                                                              i

Introduction
    Background                                                                 1
    Objectives                                                                 2

Finding
    DoD Compliance with the Information Assurance Vulnerability Alert Policy   3

Appendixes
    A. Audit Process
        Scope and Methodology                                                 13
        Prior Coverage                                                        14
    B. Commanders in Chief, Services, Defense Agencies, and other DoD Components Required to be Registered Users   15
    C. Acknowledgement of the Information Assurance Vulnerability Alerts Issued in 2000   18
    D. Compliance With the Information Assurance Vulnerability Alerts Issued in 2000   20
    E. Information Assurance Vulnerability Alert Process                      22
    F. Report Distribution                                                    23

Management Comments
    Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
        Director, Infrastructure and Information Assurance                    27
        Deputy Director, Defense Network Operations                           31
    U.S. Southern Command                                                     35
    Defense Advanced Research Projects Agency                                 36
    Defense Commissary Agency                                                 38
    Defense Contract Audit Agency                                             40
    Defense Finance and Accounting Service                                    41
    Defense Security Service                                                  43
    Defense Threat Reduction Agency                                           45
    Joint Staff                                                               46
    Department of Defense Education Activity                                  48
    Washington Headquarters Services                                          50

Background

Information assurance is an essential element of operational readiness and is based on the need for accurate and timely exchange of information. With the advances in information technology, new vulnerabilities to the critical infrastructure are evolving. On February 15, 1998, the Deputy Secretary of Defense issued a classified memorandum, “Information Assurance,” which instructed the Defense Information Systems Agency (DISA), with the assistance of the Military Departments, to develop an alert system that ensured positive control of information assurance.
According to the memorandum, the alert system should:

    •  identify a system administrator to be the point of contact for each relevant network system,
    •  send alert notifications to each point of contact,
    •  require confirmation by each point of contact acknowledging receipt of each alert notification,
    •  establish a date for the corrective action to be implemented, and
    •  enable DISA to confirm whether the correction has been implemented.

In another memorandum, dated February 19, 1998, the Deputy Secretary of Defense directed DoD Components to develop an action plan to detect cyber intrusion. Each Component’s action plan should include a process for correcting existing vulnerabilities and for providing formal training and certification of the network operators, system administrators, and information system security officers. The action plan should also include a process for conducting periodic analysis and assessing information assurance vulnerabilities.

Information Assurance Vulnerability Alert Policy Memorandum. On December 30, 1999, the Deputy Secretary of Defense issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum requiring all the Commanders in Chief (CINC), the Services, and Defense agencies (C/S/A) to register and comply with the IAVA process. The IAVA policy establishes the roles and responsibilities for the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD[C3I]) and the Defense Components. The policy memorandum tasked the ASD(C3I) with the responsibility to implement the IAVA process.

The policy memorandum tasked DISA with the responsibility to manage the IAVA process and distribute the alerts to the C/S/As.
Each C/S/A will designate a primary and secondary point of contact responsible for acknowledging receipt of the IAVA notifications and for reporting compliance. Each C/S/A is also responsible for disseminating the notifications to all personnel who can implement and manage the technical responses to the IAVAs.

In addition, according to the policy memorandum, a DoD Instruction will be developed to formalize the IAVA process. Meanwhile, the memorandum provided for a compliance review by the Inspector General, DoD.

The 1999 DoD Chief Information Officer Annual Information Assurance Report. The report, which was issued to Congress in February 2000, stated that DISA had an operational system that disseminates vulnerability alerts and tracks DoD Component compliance with the alerts. The report also stated that a DoD Instruction was being developed to formalize the notification process.

Objective

Our audit objective was to evaluate the progress that DoD made in complying with the Deputy Secretary of Defense policy memorandum on IAVA. See Appendix A for a discussion of the audit scope and methodology.

Information Assurance Vulnerability Alert Policy

In August 2000, when we issued the draft audit report, DoD progress in complying with the Deputy Secretary of Defense policy memorandum had not been consistent. At that time, all 9 CINCs, 4 Services, and 14 Defense agencies had registered as reporting entities with the IAVA database, but 4 other DoD Components had not. Also, information contained in the IAVA database for the alerts posted in 2000 showed that of those Components that had registered, only four CINCs, one Service, four Defense agencies, and two other DoD Components had reported compliance in accordance with the IAVA policy.
Adequate implementation of and compliance with the Deputy Secretary of Defense policy memorandum, dated December 30, 1999, were lacking because the ASD(C3I) had not:

    •  finalized a DoD Instruction to formalize the IAVA process, and
    •  developed a DoD implementation plan to require the CINCs, Services, and Defense agencies to register, report, and comply with IAVA notifications.

As of November 2000, DoD had made significant progress in IAVA implementation. The four DoD Components that had not registered were reporting through the Office of the Secretary of Defense (OSD) point of contact and are no longer required to register separately. All CINCs, 2 of the 4 Services, and 13 of the 14 Defense agencies were now reporting in compliance with IAVA policy. The Defense Security Service, the one remaining Defense agency that had not fully complied with the reporting requirements, was working to put an infrastructure in place for reporting in accordance with the policy. Of the other DoD Components, OSD was not yet reporting compliance in accordance with IAVA policy; however, OSD planned to be fully compliant by April 2001. Compliance by OSD is critical because 20 other DoD organizations will be reporting through it (see Appendix B).

Complete implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.

IAVA Policy Requirements

The IAVA policy memorandum requires each C/S/A to register in the IAVA database located on the IAVA website, acknowledge receipt of IAVA notifications, and report compliance.

Registration. To register in the IAVA database, each point of contact should contact DISA to obtain a DISA Form 41.
When DISA receives the completed form, it will issue a user identification name and password so that the point of contact can gain access to the IAVA database.

According to the Director, Infrastructure and Information Assurance Directorate, Office of ASD(C3I), the IAVA policy applies to all DoD Components. In August 2000, at the time of the issuance of our draft audit report, all 9 CINCs, 4 Services, and 14 Defense agencies had registered as reporting entities, but 4 other DoD Components had not registered. As of November 2000, all DoD Components were effectively registered because OSD had decided that the four organizations that had not registered are reporting through OSD and, therefore, will not be required to register separately. Appendix B provides a detailed list of the DoD Components and also identifies those that will not register separately but will report through OSD.

Acknowledgement of Receipt. Once a point of contact is registered with the IAVA database, DISA notifies the point of contact by electronic mail when an IAVA is issued. The electronic mail message directs the point of contact to access the DoD Computer Emergency Response Team (CERT) website and review the posted IAVA notification. Each point of contact is to acknowledge receipt of the IAVA notification to the IAVA database within 5 days, unless specified otherwise. Appendix C shows DoD Components’ acknowledgement of the alerts posted in 2000. As of November 2000, all DoD Components were complying with the acknowledgement requirements.

Report Compliance. The points of contact are to implement the corrective action necessary to fix the vulnerability and report the status of compliance to the IAVA database within 30 days, unless specified differently in the IAVA message.
The policy memorandum requires that compliance information include the number of assets affected, the number of assets in compliance, and the number of assets with waivers. As of August 2000, only four CINCs, one Service, four Defense agencies, and two other DoD Components had reported compliance in accordance with IAVA policy. However, information extracted from the IAVA database on November 6, 2000, showed significant improvement. All CINCs, 2 of the 4 Services, and 13 of 14 Defense agencies were now reporting in compliance with IAVA policy. Of those categorized as other DoD Components, OSD was not yet reporting compliance in accordance with IAVA policy, but was taking actions to become fully compliant. Appendix D shows DoD Components’ compliance with the alerts posted in 2000.

CINCs. We obtained information from the IAVA database to determine whether the nine CINCs had complied with the IAVA policy for the three alerts posted in 2000. At the time of the issuance of our draft audit report in August 2000, four CINCs reported compliance data as outlined in the IAVA policy. As of November 2000, all CINCs were reporting compliance data in accordance with the policy.

Services. We contacted the Services to determine whether they were implementing the IAVA policy and disseminating the IAVA notifications to all program managers, system administrators, and other personnel responsible for implementing and managing technical responses.

The Services had implemented a positive control mechanism for ensuring compliance with IAVA notifications.
The Services stated that they had developed a process to receive alert notifications and to disseminate the alerts to the lowest level.

At the time of the issuance of our draft report, only the Navy was reporting compliance data to the IAVA database in accordance with the standards set forth in the IAVA policy memorandum. As of November 2000, the Marine Corps was also reporting correctly. The Army and Air Force were still not reporting in accordance with policy. The Army was reporting compliance in the form of percentages, and the Air Force was reporting compliance by stating only that it was in compliance.

Defense Agencies. At the time of the issuance of our draft report, only four Defense agencies reported compliance in terms of number of assets affected, number of assets in compliance, number of waivers requested, and number of waivers approved, or by indicating that the IAVA was not applicable to their assets. The remaining Defense agencies either reported compliance data by stating only that they were compliant or did not indicate any form of compliance. As of November 2000, the reporting situation had improved. Only one Defense agency, the Defense Security Service, had not complied with the reporting requirements, but it was working to put an infrastructure in place for reporting in accordance with the policy.

Other DoD Components. At the time of the draft report, the IAVA database indicated that two other Components (Washington Headquarters Services and the Inspector General) reported compliance data in accordance with the policy memorandum. The remaining three other DoD Components that were registered (OSD, Joint Staff, and Defense Prisoner of War/Missing Personnel Office) either reported by stating only that they were compliant or did not indicate any form of compliance.
OSD had not acknowledged receipt of IAVA notifications or reported compliance in accordance with IAVA policy because a formal internal compliance process had not been finalized and personnel had not been trained. OSD developed a draft IAVA implementation plan and a draft IAVA instruction, but both documents needed to be approved by ASD(C3I) before OSD would be able to comply with the IAVA policy tasking. OSD set a tentative date of February 5, 2001, to train all personnel and establish a process for reporting compliance with the IAVA policy.

As of November 2000, OSD was acknowledging receipt of IAVA notifications, but was not yet reporting compliance in accordance with IAVA policy. However, the Deputy Director, OSD Network Operations, stated that the IAVA system would be fully implemented within OSD in April 2001. At that time, all OSD umbrella organizations (those organizations that would report IAVA compliance through OSD) would register all assets affected, the number of assets in compliance, and the number of assets with waivers and, therefore, be able to report in accordance with the IAVA policy. Additional audit work since the issuance of the draft report disclosed that the Joint Staff was now reporting compliance in accordance with the IAVA policy memorandum. The Defense Prisoner of War/Missing Personnel Office is an OSD umbrella organization that will report to OSD.

OSD Umbrella Organizations. The OSD umbrella organizations that will report directly to OSD include the Under Secretary of Defense for Acquisition, Technology, and Logistics; the Under Secretary of Defense for Policy; the Under Secretary of Defense (Comptroller and Chief Financial Officer); the Under Secretary of Defense for Personnel Readiness; the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); the Assistant Secretary of Defense for Health Affairs; the Assistant Secretary of Defense for Intelligence Oversight; the Assistant Secretary of Defense for Legislative Affairs; the Assistant Secretary of Defense for Public Affairs; the Assistant Secretary of Defense for Reserve Affairs; the General Counsel; the Executive Secretary of the Department of Defense; the Director, Operational Test and Evaluation; the Director, Program Analysis and Evaluation; the Director, American Forces Information Services; the Director, Defense Prisoner of War/Missing Personnel Office; the Director, DoD Education Activity; the Director, DoD Human Resources Activity; the Director, Office of Economic Adjustment; and the Director, TRICARE Management Activity.

The Deputy Director, OSD Network Operations, stated that the draft OSD instruction for the umbrella organizations, “OSD Information Assurance Vulnerability Assessment,” was provided to ASD(C3I) for coordination and approval in July 2000; however, as of November 2000, the instruction was not finalized.
The draft instruction outlines the roles and responsibilities for the OSD umbrella organizations to report compliance through the IAVA Desk Officer within the OSD Information Technical Directorate.

Implementation of the IAVA Policy

We attributed the poor implementation status of the IAVA process at the time of our draft report to the lack of implementation of the Deputy Secretary of Defense IAVA policy memorandum. As of November 2000, the ASD(C3I) had not issued a final Instruction formalizing the IAVA process and had not developed an implementation plan for IAVA compliance.

Status of Instruction. According to the IAVA policy memorandum, a DoD Instruction was to be developed to formalize the IAVA process. However, as of November 2000, the Instruction was still in draft form. The draft Instruction states that the policy is applicable to all the information systems managed or used by DoD Components. However, the Instruction defines roles and responsibilities for only the C/S/As; it does not include the roles and responsibilities of other DoD Components. The draft IAVA Instruction is also vague in defining the common methodology for the Designated Approval Authorities to assess risk when granting waivers and in who may be designated as a C/S/A point of contact. Also, the draft Instruction does not require the Designated Approval Authorities to document their assessment of an asset’s risk. The draft Instruction states that DISA will periodically report the compliance status of the C/S/As and waivers to the Deputy Secretary of Defense. Therefore, Designated Approval Authorities should maintain proper documentation for risk assessments explaining why a waiver was granted for a system asset.
Also, the draft Instruction does not address how a system asset will be monitored if a waiver is granted, so that the vulnerability is not exploited before the corrective action is implemented. The draft Instruction states that each C/S/A should designate a primary and secondary point of contact, but it does not state the type of position or training that should be held by the points of contact.

Status of Implementation Plan. The IAVA policy memorandum gave the overall responsibility to ASD(C3I) to implement the IAVA policy to all the C/S/As. As of November 2000, an overall DoD implementation plan had not been developed. Without an overall DoD implementation plan, no set guidelines were being followed or issued to the DoD Components on how to register, report, and comply with the IAVA database in accordance with the policy memorandum. Also, according to the Director, Infrastructure and Information Assurance Directorate of ASD(C3I), the Directorate does not have the authority to enforce the requirement that DoD Components register and report compliance in accordance with the IAVA policy. The Infrastructure and Information Assurance Directorate is responsible only for implementing the IAVA policy.

Management of the IAVA Process

DISA Responsibilities. DISA is responsible for developing and maintaining the IAVA process. The IAVA database system is used to track compliance and statistics. Each DoD Component must register a point of contact in the database to obtain a user identification name and password to ensure receipt of the IAVA notification. The IAVA process provides DoD Components with a positive control mechanism to ensure that system administrators receive, acknowledge, and comply with alert notifications. Also, it should provide a method to measure risk avoidance within the overall risk management framework.
See Appendix E for an explanation of the IAVA process.

IAVA Notification. The CERT is responsible for the integrity and availability of elements and applications of the Defense Information Infrastructure. When the CERT becomes aware of a vulnerability to DoD computer system assets, it conducts research to determine:

    •  the type of operating system affected,
    •  the vulnerability of the application affected,
    •  the ease of access to the system,
    •  the type of threat imposed,
    •  whether the infrastructure will be affected, and
    •  whether the vulnerability has already been exploited.

Based on the results of its research, the CERT will decide whether to issue an IAVA, an Information Assurance Vulnerability Bulletin, or a Technical Advisory. An IAVA is generated when a vulnerability is considered to be severe and a known corrective action is available. An IAVA requires DoD Components to acknowledge receipt of the alert notification and to report the status of compliance within the specified timeframe. A Bulletin requires an acknowledgment of alert notifications; it is issued for a vulnerability that is not an immediate threat but which, if not corrected, could escalate to a more severe problem. An Advisory does not have reporting requirements because it is considered to be low risk.

When the type of alert has been determined, the CERT develops the IAVA message and posts it on the CERT website.
The IAVA message contains technical specifics about the vulnerability and the corrective action to be taken. DISA then disseminates an electronic message to all registered points of contact, who disseminate the IAVA throughout their organizations and report compliance to the IAVA database within the established timeframe.

Effects of IAVA Noncompliance

For the IAVA policy to be effective, all DoD Components must register with the IAVA database and report compliance in accordance with specific guidance outlined in the IAVA policy memorandum. Without effective implementation of the IAVA policy, DoD Components cannot be assured of taking mitigating actions to avoid serious compromises to computer system assets. As a result, the reliability and effectiveness of the computer systems that are needed to ensure successful mission performance could potentially be degraded. Not maintaining positive control of vulnerability notifications and not applying the necessary corrective actions increase risks to the DoD infrastructure.

Summary

The IAVA policy requires DoD Components to register with the IAVA database and report compliance with IAVA notifications. The compliance information must be reported by stating the number of assets affected, the number of assets in compliance, and the number of assets with waivers. As of November 2000, all DoD Components that were required to register with the IAVA database had registered. Furthermore, all DoD Components, with the exception of the Army, the Air Force, the Defense Security Service, and OSD, were reporting compliance in accordance with the December 30, 1999, IAVA policy memorandum. Both the Defense Security Service and OSD were working to become fully compliant.
ASD(C3I) was developing an Instruction to formalize\n    the IAVA process within DoD, but as of November 2000, the DoD Instruction\n    was still in draft form. In addition, ASD(C3I) had not finalized and approved an\n    internal OSD instruction outlining the IAVA process within OSD and its\n    umbrella organizations. Finalization of both instructions will help ensure\n    effective implementation of IAVA policy within DoD.\n\n\n\nRecommendations, Management Comments, and Audit\nResponse\n\n    Revised, Added, Deleted, and Renumbered Recommendations. As a result\n    of the Joint Staff comments, we revised draft Recommendation 1.b to include\n    training as part of the DoD implementation plan. We added\n    Recommendation 1.c. to require the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence) to finalize the internal OSD\n    Information Assurance Vulnerability Alert Instruction. We deleted draft\n    Recommendation 2. because those organizations will report their compliance\n    through the Office of the Secretary of Defense. Draft Recommendation 3. has\n    been renumbered as Recommendation 2.\n\n    1. We recommend that the Assistant Secretary of Defense, Command,\n    Control, Communications, and Intelligence, as DoD Chief Information\n    Officer:\n\n          a. Revise and expedite the release of the DoD Information Assurance\n    Vulnerability Alert Instruction to include language to define:\n\n                  (1) The roles and responsibilities for DoD Components.\n\n    Office of the Assistant Secretary of Defense (Command, Control,\n    Communications, and Intelligence) Comments. 
The Director, Infrastructure\n    and Information Assurance, concurred and stated that the draft DoD\n    Instruction O-8530.bb, \xe2\x80\x9cSupport to Computer Network Defense,\xe2\x80\x9d addresses the\n    responsibilities of the Assistant Secretary of Defense (Command, Control,\n\n                                       9\n\x0cCommunications and Intelligence) for vulnerability analysis, assessment\nnotification, reporting, and coordination. Once this draft instruction has been\nsigned, a separate DoD Instruction on Information Assurance Vulnerability\nReporting and Mitigation will be developed that will contain specific language to\ndefine the roles and responsibilities of DoD Components.\n\nThe Deputy Director, OSD Network Operations, provided comments concurring\nwith the report and specifically addressing implementation of the IAVA process\nwithin the Office of the Secretary of Defense.\n\n             (2) The types of positions and skills needed by the primary\nand secondary points of contact for DoD Components.\n\nOffice of the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments. The Director concurred and\nstated that any unique skills or training required to implement the vulnerability\nreporting and mitigation program will be identified.\n\n             (3) A common methodology of risk assessment for the\nDesignated Approval Authorities to document the risk-assessment\nmonitoring process when granting a waiver for an asset.\n\nOffice of the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments. The Director concurred with\nthe intent of defining a common methodology for risk assessment, but stated that\na separate risk assessment monitoring process was not required or appropriate\nbecause it is covered under DoD Instruction 5200.40, \xe2\x80\x9cDoD Information\nTechnology Security Certification and Accreditation Process,\xe2\x80\x9d December 30,\n1997.\n\nAudit Response. 
The Director\xe2\x80\x99s comments meet the intent of the\nrecommendation. No further comments are required.\n\n              (4) A methodology for the Designated Approval Authorities\nto monitor systems so that vulnerabilities may not be exploited.\n\nOffice of the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments. The Director concurred with\nthe intent of the recommendation, but stated that monitoring systems for\nvulnerabilities is not part of the Information Assurance Vulnerability Alert\nprocess. Draft DoD Directive 0-8530.aa states that an effective Computer\nNetwork Defense is predicated upon robust infrastructure and information\nassurance practices, including regular and proactive vulnerability analysis and\nassessment, and implementation of identified improvements. The Directive is\nscheduled to be signed prior to December 15, 2000.\n\nAudit Response. The Director\xe2\x80\x99s comments meet the intent of the\nrecommendation. No further comments are required.\n\n\n\n\n                                    10\n\x0c       b. Develop and disseminate a DoD implementation plan to DoD\nComponents that will provide full Information Assurance Vulnerability\nAlert registration, reporting, training, and compliance guidance.\n\nOffice of the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments. The Director concurred that\ndetails about Information Assurance Vulnerability Alert registration, reporting\nand compliance needed to be addressed, but stated that an implementation plan\nwas not required because the DoD Instruction on Information Assurance\nVulnerability Reporting and Mitigation will address those details.\n\nAudit Response. The Director\xe2\x80\x99s comments meet the intent of the\nrecommendation, providing the instruction adequately addresses the\nrequirements for Information Assurance Vulnerability Alert registrations,\nreporting, and compliance. 
Based on the Joint Staff comments, we revised the\nrecommendation to include training.\n\n       c. Finalize and approve the Office of the Secretary of Defense\ninstruction that outlines the roles and reporting responsibilities of the DoD\nComponents that will be reporting through the Office of the Secretary of\nDefense.\n\n2. We recommend that the Secretaries of the Army and Air Force; the\nCommandant of the Marine Corps; the Commanders of the U.S. European\nCommand, U.S. Southern Command, U.S. Special Operations Command,\nU.S. Transportation Command, and U.S. Strategic Command; the\nDirectors of the Ballistic Missile Defense Organization, Defense Advanced\nResearch Projects Agency, Defense Commissary Agency, Defense Contract\nAudit Agency, Defense Finance and Accounting Service, Defense\nIntelligence Agency, Defense Security Service, Defense Threat Reduction\nAgency, Joint Staff, National Imagery and Mapping Agency, and National\nReconnaissance Office report compliance by stating the number of assets\naffected, the number of assets in compliance, and the number of assets with\nwaivers, as stated in the Deputy Secretary of Defense policy memorandum.\n\nOffice of the Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) Comments. Although not required to\ncomment, the Director, Infrastructure and Information Assurance, stated that\nthis requirement will be specifically addressed in the DoD Instruction on\nInformation Assurance Vulnerability Reporting and Mitigation.\n\nU.S. Southern Command Comments. The Commander of the U.S. Southern\nCommand concurred and stated that due to operator error, the automated report\nfor Information Assurance Vulnerability Alert 2000-A-0003 was not submitted.\nHowever, the report has since been submitted and the U.S. Southern Command\nis fully compliant.\n\nDefense Advanced Research Projects Agency Comments. 
The Defense\nAdvanced Research Projects Agency concurred and stated that it had completed\ncorrective actions and reported compliance for the three Information Assurance\nVulnerability Alerts identified in the report. However, it felt that the response\n\n                                    11\n\x0ctime between incident identification and Information Assurance Vulnerability\nAlert issuance needed to be reduced. The Defense Advanced Research Projects\nAgency suggested measures that provide a proactive information security\nintelligence gathering activity through both open sources and polling easily\naccessible adversarial sources, rapid response to paid security vendor alerts, and\nwidespread informal liaison with other government, civilian, academic, and\ncommercial organizations.\n\nDefense Commissary Agency Comments. The Defense Commissary Agency\nconcurred and stated that it had complied with the Information Assurance\nVulnerability Alerts issued in 2000 and will continue the process when new\nInformation Assurance Vulnerability Alerts are issued.\n\nDefense Contract Audit Agency Comments. The Defense Contract Audit\nAgency responded that as of October 4, 2000, it was in compliance with the\nInformation Assurance Vulnerability Alerts issued in 2000 and asked that the\nupdated compliance status be included in the final report. The Defense Contract\nAudit Agency suggested that the Information Assurance Vulnerability Alert\ndatabase contain a field to identify whether an alert is open or closed.\n\nAudit Response. We updated Appendix D in the final report to reflect the\nupdated compliance status.\n\nDefense Finance and Accounting Service Comments. The Defense Finance\nand Accounting Service concurred and stated that it had updated the database\nand complied with the Information Assurance Vulnerability Alert process in\naccordance with the Deputy Secretary of Defense policy memorandum,\nDecember 30, 1999.\n\nDefense Security Service Comments. 
The Defense Security Service concurred\nand stated that it was in the process of defining the agency\xe2\x80\x99s strategy for\ncomplying with the Deputy Secretary of Defense policy memorandum. The\nstrategy will include establishing a Designated Approving Authority structure\nthat will grant accrediting authority to Regional Directors and help in expediting\nInformation Assurance Vulnerability Alerts to the regions. Another part of the\nstrategy is to implement a hierarchical structure of Information System Security\nOfficers, who will report the number of systems affected under their purview to\nthe agency\xe2\x80\x99s Information Assurance Vulnerability Alert point of contact. The\nfinal aspect of the strategy is to appoint Information System Security Managers,\nwho will provide support and oversight of the Information Assurance\nVulnerability Alert process.\n\nDefense Threat Reduction Agency Comments. The Defense Threat Reduction\nAgency stated that compliance was reported for the first two Information\nAssurance Vulnerability Alerts issued in 2000; however, for reasons unknown,\nthose entries were not reflected in the Information Assurance Vulnerability Alert\ndatabase. Since the draft report was issued, the Defense Threat Reduction\nAgency reentered the information and complied with the third Information\nAssurance Vulnerability Alert for 2000. The Defense Threat Reduction Agency\n\n\n\n                                    12\n\x0calso noted that ongoing confusion existed concerning the information entry\nrequirements and database problems with the Information Assurance\nVulnerability Alert reporting system.\n\nJoint Staff Comments. 
The Director, Joint Staff, concurred and stated that, in\nJune 2000, at the direction of the Chairman, Joint Chiefs of Staff, a\ncomprehensive review of the Commanders in Chief, Services, and Defense\nagencies Information Assurance Vulnerability Alert compliance was conducted.\nThe review led to an increased awareness of the Information Assurance\nVulnerability Alert reporting and compliance requirements by the Commanders\nin Chief, Services, and Defense agencies and an increased compliance. Any\ndiscrepancies noted in the review were corrected and, as of August 2000, the\nJoint Staff was fully compliant. The Director suggested that our\nrecommendation on the IAVA Implementation Plan be expanded to include\ntraining. The Director also mentioned that, in coordination with the Defense\nInformation Systems Agency and the U.S. Space Command, a determination\nwas being made to decide the feasibility of including the Joint Task Force-\nComputer Network Defense in the Information Assurance Vulnerability Alert\nprocess.\n\nAudit Response. In response to the Director\xe2\x80\x99s comments, we revised\nRecommendation 1.b. to include training.\n\nDoD Education Activity. The DoD Education Activity concurred and stated\nthat it was now in compliance with the Deputy Secretary of Defense policy\nmemorandum.\n\nArmy Comments. The Army did not comment on the recommendation. We\nrequest that the Army provide comments in response to the final report.\n\nAir Force Comments. The Air Force did not comment on the\nrecommendation. We request that the Air Force provide comments in response\nto the final report.\n\nOther Management Comments. The Marine Corps, the U.S. European\nCommand, the U.S. Special Operations Command, the U.S. Transportation\nCommand, the U.S. Strategic Command, the Ballistic Missile Defense\nOrganization, the Defense Intelligence Agency, the National Imagery and\nMapping Agency, the National Reconnaissance Office did not comment on a\ndraft of this report. 
However, since the Information Assurance Vulnerability\nAlert database, of November 6, 2000, showed that those organizations have now\nreported compliance in accordance to the Deputy Secretary of Defense policy\nmemorandum, no further response is required from those organizations.\n\n\n\n\n                                   13\n\x0cAppendix A. Audit Process\n\nScope and Methodology\n    Work Performed. We conducted research on DoD Component compliance to\n    the IAVA notifications, as directed by the Deputy Secretary of Defense IAVA\n    policy memorandum, issued December 30, 1999. We reviewed the Deputy\n    Secretary of Defense IAVA policy memorandum; the DoD draft IAVA\n    Instruction, dated January 18, 2000; and the DISA IAVA Process Handbook,\n    dated December 6, 1999.\n\n    We reviewed the actions taken by the Infrastructure and Information Assurance\n    Directorate in implementing the IAVA policy. We also reviewed DISA actions\n    to manage the IAVA process and disseminate IAVA notifications to the C/S/As.\n    We assessed the 31 DoD Components only to determine whether they registered\n    in the IAVA database and whether DoD Components, including the C/S/As, are\n    reporting compliance in the manner set forth in the IAVA policy. Our review\n    covered the periods from February 1998 through November 2000. During the\n    audit, we interviewed and contacted personnel from the Office of the ASD(C3I),\n    the Defense Information Assurance Program Office, and DISA.\n\n    Limitations to Scope. Our scope was limited because the IAVA policy had not\n    been fully implemented by all DoD components, and the DoD components were\n    not being required to report compliance in accordance to the IAVA policy\n    memorandum. We did not review the overall compliance to the IAVA\n    notifications; therefore, we did not include tests of management controls.\n\n    DoD-Wide Corporate Level Government Performance and Results Act\n    (GPRA) Coverage. 
In response to the GPRA, the Secretary of Defense\n    annually establishes DoD-wide corporate level goals, subordinate performance\n    goals, and performance measures. Although the Secretary of Defense has not\n    established any goals for Information Assurance, the General Accounting Office\n    lists it as a high risk area. This report pertains to Information Assurance as well\n    as to achievement of the following goals, subordinate performance goals, and\n    performance measures:\n\n           \xe2\x80\xa2   FY 2001 DoD Corporate Level Goal 2: Prepare now for an\n               uncertain future by pursuing a focused modernization effort that\n               maintains U.S. qualitative superiority in key warfighting capabilities.\n               Transform the force by exploiting the Revolution in Military Affairs,\n               and reengineer the Department to achieve a 21st century\n               infrastructure. (01-DoD-2)\n\n           \xe2\x80\xa2   FY 2001 Subordinate Performance Goal 2.5: Improve DoD\n               financial and information management. (01-DoD-2.5)\n\n           \xe2\x80\xa2   FY 2001 Performance Measure 2.5.3: Qualitative Assessment of\n               Reforming Information Technology Management. (01-DoD-2.5.3)\n\n                                        14\n\x0c    DoD Functional Area Reform Goals. Most major DoD functional areas have\n    also established performance improvement reform objectives and goals. This\n    report pertains to achievement of the following functional area objectives and\n    goals:\n\n           \xe2\x80\xa2   Information Technology Management. Objective: Ensure DoD\n               vital information resources are secure and protected. Goal: Build\n               information assurance framework. (ITM-4.1)\n\n           \xe2\x80\xa2   Information Technology Management. Objective: Ensure DoD\n               vital information resources are secure and protected. 
Goal: Assess\n               information assurance posture of DoD operational systems.\n               (ITM-4.4)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the Department of Defense. This report\n    provides coverage of the Information Management and Technology high-risk\n    area.\n\n    Use of Computer-Processed Data. We did not evaluate the general and\n    application controls of the DISA IAVA database that process DoD Component\n    compliance to the IAVA notifications, although we relied on data produced by\n    the database to conduct the audit. We did not evaluate the controls because the\n    focus of the audit was on the effectiveness of the implementation of the IAVA\n    policy. Not evaluating the controls did not affect the results of the audit.\n\n    Audit Type, Dates, and Standards. We performed this economy and\n    efficiency audit from March 2000 through November 2000, in accordance with\n    auditing standards issued by the Comptroller General of the United States, as\n    implemented by the Inspector General, DoD.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\nPrior Coverage\n    No prior coverage has been conducted on the subject during the last 5 years.\n\n\n\n\n                                       15\n\x0cAppendix B. Commanders in Chief, Services,\n            Defense Agencies, and Other DoD\n            Components Required to be\n            Registered Users\n\n\nCommanders in Chief\nU.S. Central Command\nU.S. European Command\nU.S. Pacific Command\nU.S. Southern Command\nU.S. Joint Forces Command\nU.S. Special Operations Command\nU.S. Space Command\nU.S. Strategic Command\nU.S. 
Transportation Command\n\nServices\nAir Force\nArmy\nMarine Corps\nNavy\n\nDefense Agencies\nBallistic Missile Defense Organization\nDefense Advanced Research Projects Agency\nDefense Commissary Agency\nDefense Contract Audit Agency\nDefense Finance and Accounting Service\nDefense Information Systems Agency\nDefense Intelligence Agency\n\n\n                                         16\n\x0cDefense Agencies (Cont\xe2\x80\x99d)\nDefense Logistics Agency\n   Defense Contract Management Agency*\nDefense Security Cooperation Agency\nDefense Security Services\nDefense Threat Reduction Agency\nNational Imagery and Mapping Agency\nNational Reconnaissance Office\nNational Security Agency/Central Security Service\n\nOther DoD Components\nInspector General, DoD\nJoint Staff\nOffice of the Secretary of Defense\n   Under Secretary of Defense for Acquisition, Technology, and Logistics*\n   Under Secretary of Defense for Policy*\n   Under Secretary of Defense (Comptroller and Chief Financial Officer)*\n   Under Secretary of Defense for Personnel and Readiness*\n   Assistant Secretary of Defense (Command, Control, Communications and\n     Intelligence)*\n   Assistant Secretary of Defense for Health Affairs*\n   Assistant Secretary of Defense for Intelligence Oversight*\n   Assistant Secretary of Defense for Legislative Affairs*\n   Assistant Secretary of Defense for Public Affairs*\n   Assistant Secretary of Defense for Reserve Affairs*\n   General Counsel*\n       Defense Legal Services Agency*\n   Executive Secretary of the Department of Defense*\n   Operational Test and Evaluation*\n\n\n\n\n                                          17\n\x0c Office of the Secretary of Defense (Cont\xe2\x80\x99d)\n    Program Analysis and Evaluation*\n    American Forces Information Services*\n    Defense Prisoner of War/Missing Personnel Office*\n    DoD Education Activity*\n    DoD Human Resources Activity*\n    Office of Economic Adjustment*\n    TRICARE Management Activity*\nWashington 
Headquarters Services\n\n\n*Note: The Defense Contract Management Agency; Under Secretary of Defense for Acquisition,\nTechnology, and Logistics; Under Secretary of Defense for Policy; Under Secretary of Defense\n(Comptroller and Chief Financial Officer); Under Secretary of Defense for Personnel and Readiness;\nAssistant Secretary of Defense (Command, Control, Communications and Intelligence); Assistant\nSecretary of Defense for Health Affairs; Assistant Secretary of Defense for Intelligence Oversight;\nAssistant Secretary of Defense for Legislative Affairs; Assistant Secretary of Defense for Public Affairs;\nAssistant Secretary of Defense for Reserve Affairs; General Counsel; Executive Secretary of the\nDepartment of Defense; Operational Test and Evaluation; Program Analysis and Evaluation; the Defense\nLegal Services Agency; American Forces Information Services; Defense Prisoner of War/Missing\nPersonnel Office; DoD Education Activity; DoD Human Resources Activity; Office of Economic\nAdjustment; and TRICARE Management Activity report compliance through other agencies; therefore,\nthey do not need to register with the IAVA database.\n\n\n\n\n                                                   18\n\x0cAppendix C. Acknowledgement of the\n            Information Assurance\n            Vulnerability Alerts (IAVA) Issued\n            in 2000\nThis appendix illustrates DoD Component acknowledgement of the three IAVAs issued\nin 2000. The data was obtained from the Non-secure Internet Protocol Routing\nNetwork IAVA database website (as of November 2000) and Secure Internet Protocol\nRouter Network IAVA database website (as of November 2000).\n\n                                            Information Assurance Vulnerability Alert Numbers\n                                            2000-A-0001.0.0-01   2000-A-0002.0.0-01   2000-A-0003.0.0-01\n                                              Acknowledged         Acknowledged         Acknowledged\nCommanders in Chiefs\nU.S. 
Central Command                               Yes                 Yes                  Yes\nU.S. European Command                              Yes                 Yes                  Yes\nU.S. Joint Forces Command                          Yes                 Yes                  Yes\nU.S. Pacific Command                               Yes                 Yes                  Yes\nU.S. Southern Command                              Yes                 Yes                  Yes\nU.S. Space Command                                 Yes                 Yes                  Yes\nU.S. Special Operations Command                    Yes                 Yes                  Yes\nU.S. Strategic Command                             Yes                 Yes                  Yes\nU.S. Transportation Command                        Yes                 Yes                  Yes\nServices\nAir Force                                          Yes                 Yes                  Yes\nArmy                                               Yes                 Yes                  Yes\nMarine Corps                                       Yes                 No                   Yes\nNavy                                               Yes                 Yes                  Yes\nDefense Agencies\nBallistic Missile Defense Organization             Yes                 Yes                  Yes\nDefense Advanced Research Projects Agency          Yes                 Yes                  Yes\nDefense Commissary Agency                          Yes                 Yes                  Yes\nDefense Contract Audit Agency                      Yes                 Yes                  Yes\nDefense Finance and Accounting Service             Yes                 Yes                  Yes\nDefense Information Systems Agency                 Yes                 Yes                  Yes\nDefense Intelligence Agency                        Yes                 Yes                  Yes\nDefense Logistics Agency             
              Yes                 Yes                  Yes\nDefense Security Cooperation Agency                Yes                 Yes                  Yes\nDefense Security Services                          Yes                 Yes                  Yes\nDefense Threat Reduction Agency                    Yes                 Yes                  Yes\nNational Imagery and Mapping Agency                Yes                 Yes                  Yes\nNational Reconnaissance Office                     Yes                 Yes                  Yes\nNational Security Agency/Central Security          Yes                 Yes                  Yes\n   Service\n\n\n\n                                              19\n\x0c                                   Information Assurance Vulnerability Alert Numbers\n                                   2000-A-0001.0.0-01   2000-A-0002.0.0-01   2000-A-0003.0.0-01\n                                     Acknowledged         Acknowledged         Acknowledged\n\nOther DoD Components\nInspector General, DoD                    Yes                 Yes                  Yes\nJoint Staff                               Yes                 Yes                  Yes\nOffice of Secretary of Defense            Yes                 Yes                  Yes\nWashington Headquarters Services          Yes                 Yes                  Yes\n\n\n\n\n                                     20\n\x0cAppendix D. Compliance With the Information\n            Assurance Vulnerability Alerts\n            (IAVA) Issued in 2000\nThis appendix illustrates DoD Component compliance with the three IAVAs issued in\n2000. 
The data was obtained from the Non-secure Internet Protocol Routing Network\nIAVA database website (as of November 2000) and Secure Internet Protocol Router\nNetwork IAVA database website (as of November 2000).\n\n                                                             Information Assurance Vulnerability Alert Numbers\n                                                             2000-A-0001.0.0-01      2000-A-0002.0.0-01      2000-A-0003.0.0-01\n                                                                 Compliance              Compliance               Compliance\n                                                                 Reported in             Reported in              Reported in\n                                                                Accordance to           Accordance to            Accordance to\n                                                                IAVA Policy             IAVA Policy              IAVA Policy\nCommanders in Chiefs\nU.S. Central Command                                                 Yes                     Yes                     Yes\nU.S. European Command                                                Yes                     Yes                     Yes\nU.S. Joint Forces Command                                            Yes                     Yes                     Yes\nU.S. Pacific Command                                                 Yes                     Yes                     Yes\nU.S. Southern Command                                                No                      Yes                     Yes\nU.S. Space Command                                                   Yes                     Yes                     Yes\nU.S. Special Operations Command                                      Yes                     Yes                     No\nU.S. Strategic Command                                               Yes                     Yes                     Yes\nU.S. 
                                                               Compliance Reported in Accordance With IAVA Policy
                                                    IAVA 2000-A-0001.0.0-01  IAVA 2000-A-0002.0.0-01  IAVA 2000-A-0003.0.0-01

Transportation Command                                        Yes                      Yes                      Yes

Services
Air Force*                                                     No                       No                       No
Army*                                                          No                       No                       No
Marine Corps                                                  Yes                      Yes                      Yes
Navy                                                          Yes                      Yes                      Yes

Defense Agencies
Ballistic Missile Defense Organization                        Yes                       No                      Yes
Defense Advanced Research Projects Agency                     Yes                      Yes                      Yes
Defense Commissary Agency                                     Yes                      Yes                      Yes
Defense Contract Audit Agency                                 Yes                      Yes                      Yes
Defense Finance and Accounting Service                        Yes                      Yes                      Yes
Defense Information Systems Agency                            Yes                      Yes                      Yes
Defense Intelligence Agency                                   Yes                      Yes                      Yes
Defense Logistics Agency                                      Yes                      Yes                      Yes
Defense Security Cooperation Agency                           Yes                       No                      Yes
Defense Security Service**                                     No                       No                      Yes
Defense Threat Reduction Agency                                No                      Yes                      Yes
National Imagery and Mapping Agency                           Yes                       No                      Yes
National Reconnaissance Office                                Yes                      Yes                      Yes
National Security Agency/Central Security Service             Yes                      Yes                      Yes

Other DoD Components
Inspector General, DoD                                        Yes                      Yes                      Yes
Joint Staff                                                   Yes                      Yes                      Yes
Office of the Secretary of Defense***                          No                       No                       No
Washington Headquarters Services                              Yes                      Yes                      Yes

* DoD Components not complying with the Deputy Secretary of Defense IAVA policy memorandum.
** Defense Security Service is working to put an infrastructure in place to report the number of systems affected by the Information Assurance Vulnerability Alerts.
*** The Office of the Secretary of Defense indicates in the Information Assurance Vulnerability Alert database that statistics will be reported after January 2001.


Appendix E. The Information Assurance Vulnerability Alert (IAVA) Process

Role of DISA DoD Computer Emergency Response Team (CERT)
  Becomes aware of a vulnerability.
  Posts vulnerability information on the CERT website.
  Sends a notification message by electronic mail.

Role of Point of Contact
  Receives the notification message and checks the CERT website for details on the IAVA.
  Disseminates the IAVA to system administrators of subordinate organizations.
  Reports the acknowledgment to the IAVA database website within the specified timeframe (normally 5 days).
  Receives and aggregates compliance data from system administrators.
  Reports compliance to the IAVA database website within the specified timeframe (normally 30 days).

Role of System Administrator
  Becomes aware of an IAVA.
  Fixes the vulnerability or requests a waiver from the Designated Approval Authority.
  Reports compliance to the Point of Contact.


Appendix F. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Deputy Assistant Secretary of Defense (Deputy Chief Information Officer)

Joint Staff
Director, Joint Staff

Department of the Army
Auditor General, Department of the Army
Chief Information Officer, Department of the Army

Department of the Navy
Commandant, Marine Corps
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Unified Commands
Commander in Chief, U.S. European Command
Commander in Chief, U.S. Pacific Command
Commander in Chief, U.S. Joint Forces Command
Commander in Chief, U.S. Southern Command
Commander in Chief, U.S. Central Command
Commander in Chief, U.S. Space Command
Commander in Chief, U.S. Special Operations Command
Commander in Chief, U.S. Transportation Command
Commander in Chief, U.S. Strategic Command

Other Defense Organizations
Director, Ballistic Missile Defense Organization
Director, Defense Advanced Research Projects Agency
Director, Defense Commissary Agency
Director, Defense Contract Audit Agency
Director, Defense Contract Management Agency
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
Director, Defense Intelligence Agency
  Inspector General, Defense Intelligence Agency
Director, Defense Legal Services Agency
Director, Defense Logistics Agency
Director, Defense Security Cooperation Agency
Director, Defense Security Service
Director, Defense Threat Reduction Agency
Director, National Security Agency
  Inspector General, National Security Agency
Director, National Imagery and Mapping Agency
Director, National Reconnaissance Office
Director, American Forces Information Services
Director, Defense Prisoner of War/Missing Personnel Office
Director, Department of Defense Education Activity
Director, Department of Defense Human Resources Activity
Director, Office of Economic Adjustment
Director, TRICARE Management Activity
Director, Washington Headquarters Services

Non-Defense Federal Organizations
Office of Management and Budget
  Office of Information and Regulatory Affairs

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Information, and Technology, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee on Government Reform


Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), Infrastructure and Information Assurance Comments

Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), Defense Network Operations Comments
  Final Report Reference: Deleted

U.S. Southern Command Comments

Defense Advanced Research Projects Agency Comments

Defense Commissary Agency Comments

Defense Contract Audit Agency Comments

Defense Finance and Accounting Service Comments

Defense Security Service Comments

Defense Threat Reduction Agency Comments

The Joint Staff Comments
  Final Report Reference: Revised

Department of Defense Education Activity Comments

Washington Headquarters Services Comments
  Final Report Reference: Revised, pages 3 and 18


Audit Team Members
  The Acquisition Management Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report.

    Thomas F. Gimble
    Mary L. Ugone
    Robert K. West
    Eleanor A. Wills
    Lois J. Wozniak
    Kelli M. Burkewitz